Fake Ledger App For Mac Steals Millions


In mid-April 2026, a well-crafted scam launched a fake Ledger Live application that made its way onto Apple’s Mac App Store, bypassing the company’s vaunted review process and resulting in nearly $9.5 million in losses from over 50 victims.

The scam targeted security-conscious cryptocurrency users—people who specifically use self-custody wallets precisely because they don’t trust their custodians. While removing the need for trust in a custodian is indeed an improvement in safety, migrating your trust from banks towards brands like Apple and Ledger has proven to leave you exposed.

The attackers didn’t need to breach Ledger’s hardware devices. They needed Apple’s seal of approval, its distribution network, and brand recognition to leverage: a place where users would let their guard down.

That place was Apple’s Mac App Store.

Apple is a trusted brand that centralises its App Store; it verifies all app submissions and has strict protocols for listing and maintaining your app with Apple, so surely apps on iOS and macOS should be safe, right?

Right?

The Incident: When Trust Becomes a Liability

Between April 7 and April 13, 2026, the counterfeit app drained funds from users across multiple blockchains—Bitcoin, Ethereum, Solana, Tron, and XRP—before Apple finally removed it. Three victims alone lost over $1.95 million each, with the largest single loss reaching $3.23 million in USDT.

Musician Garrett Dutton, known as G. Love, lost 5.9 Bitcoin worth approximately $438,000—his entire retirement fund accumulated over a decade.

Major oef!

How The Scam Worked

The attackers executed one of the oldest tricks in social engineering: they asked users to enter their seed phrases. The fake app was submitted to the Mac App Store under the publisher name “Leva Heal Limited,” bearing no obvious connection to the legitimate Ledger SAS.

Yet it passed Apple’s review.

The application was designed to mimic Ledger Live with enough accuracy that users couldn’t tell the difference. When users launched the app after setting up a new computer, they were prompted to enter their 24-word seed phrase—the master key to their entire wallet.

Which leads me to believe the affected users were not seasoned hodlers.

If you’re using Ledger Live, it’s because you have a signing device.

If you have a signing device, you have your seed phrase on an airgapped device. If you have your keys on a device, you’ll never need to input your seed phrase. All you need to do is pass signatures between your device and your laptop.

This is not me throwing shade at the victims; I’ve been hacked too, so I am all too familiar with the feeling of lost funds.

The Recurring Scourge of the Fake App

The attackers engineered a version history to appear legitimate. Rather than uploading a single suspicious app, they released major new versions every few days, jumping from version 1.0 to version 5.0 within two weeks. This tactic—showing progress and updates—is specifically designed to bypass the reviews of both automated systems and human moderators who might flag a sudden new app as suspicious.

Instant Wallet Drain

Once a victim entered their seed phrase, the attackers had everything they needed. A hardware wallet only protects the seed phrase itself—the secret 24 words that unlock the wallet. The moment those words leave the device and land on a computer screen, the protection is nullified. The attackers could import the wallet into their own devices and drain funds instantaneously. The speed of these thefts is remarkable: three major losses—$3.23 million, $2.08 million, and $1.95 million—occurred across just four days (April 8-11), suggesting a fully automated draining mechanism.

Now For The Money Laundering

The stolen funds were routed through more than 150 KuCoin deposit addresses and laundered through a centralised mixing service called “AudiA6,” which specialises in obfuscating illicit cryptocurrency flows for high fees. KuCoin temporarily froze the suspicious accounts, but only until April 20, 2026. By that time, most of the funds had already been moved or converted.

But doesn’t that mean there’s a KYC attachment to those funds?

Yes, there could be, but that doesn’t mean the account holder is the user. Buying KYC accounts on dark web markets or paying someone to KYC an account in their name and hand over the logins is a pretty standard practice.

We have had examples of scammers dumb enough to KYC an account they plan to launder with, but we can’t rely on their stupidity.

Why Apple’s App Store Approval Means Nothing

Apple built its entire App Store ecosystem on a simple promise: the company reviews every app, every update, and protects users from malicious software. This review process is the justification for Apple’s monopoly on app distribution, for the 30% commission it takes on in-app purchases, and for preventing users from sideloading applications from other sources. Apple argues that without the App Store, users would be vulnerable to malware and fraud.

The fake Ledger app proves that this promise is incomplete—and arguably false.

The Problem with App Store Security

Apple’s review process is designed to catch technical malware—code that steals data, spawns unwanted processes, or attempts to access system files without permission. But the fake Ledger app didn’t need to be technical. It didn’t exploit any vulnerability. It simply asked users for their seed phrases, and the users provided them.

What Apple’s reviewers should have caught was obvious: Ledger does not distribute Ledger Live through the Mac App Store. Ledger’s official app is only available on Ledger’s website. Any version appearing in the Mac App Store is by definition fraudulent. The real Ledger also explicitly states that it will never ask users to enter their seed phrases into any app or website—only into the hardware device itself.

A Single Question That Would Have Prevented This

An effective security review would include a single question for wallet and financial apps: Does this app ever ask users to enter sensitive credentials like private keys or seed phrases? If the answer is yes, that alone is a red flag. No legitimate wallet software should ever ask a user to type their seed phrase into a screen.

The fact that this fake Ledger app passed review—and remained on the store for two full weeks—suggests that either Apple’s reviewers are not screening apps in this category with appropriate rigour, or the review process itself is too cursory to catch these red flags.
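As an added illustration (not code from Apple, Ledger, or the original article), the sketch below turns that review question into a triage check and adds the two other signals described earlier: a brand name used by an unrelated publisher, and a rapidly inflated version history. The listing fields, sample strings, dates, and thresholds are assumptions made up for the example.

```python
import re
from datetime import date

# Strings that solicit a recovery phrase, and negations that mark a legitimate warning.
SEED_PROMPT = re.compile(
    r"\b(enter|type|input|import)\b[^.\n]{0,40}\b(seed|recovery|secret|mnemonic|(12|24)[- ]word)\b"
    r"[^.\n]{0,20}\b(phrase|words)\b", re.IGNORECASE)
NEGATED = re.compile(r"\b(never|do not|don't)\b", re.IGNORECASE)

def triage(listing, brand_owners):
    """Return red flags for one submission. The listing fields are hypothetical."""
    flags = []
    # 1. Name trades on a brand whose owner is not the publisher.
    for brand, owner in brand_owners.items():
        if brand.lower() in listing["name"].lower() and listing["publisher"] != owner:
            flags.append(f"brand {brand!r} used by publisher {listing['publisher']!r}")
    # 2. A UI string asks the user to type a seed phrase (warnings against it are skipped).
    for text in listing["ui_strings"]:
        if SEED_PROMPT.search(text) and not NEGATED.search(text):
            flags.append(f"seed phrase prompt: {text!r}")
    # 3. Major version number inflated within a short window (assumed thresholds).
    history = sorted(listing["versions"], key=lambda v: v[1])
    if len(history) >= 2:
        jump = int(history[-1][0].split(".")[0]) - int(history[0][0].split(".")[0])
        days = (history[-1][1] - history[0][1]).days
        if jump >= 3 and days <= 30:
            flags.append(f"{jump} major versions in {days} days")
    return flags

BRANDS = {"Ledger": "Ledger SAS"}
# Constructed samples: names from the article, UI strings and dates invented for the example.
FAKE = {
    "name": "Ledger Live",
    "publisher": "Leva Heal Limited",
    "ui_strings": ["Welcome back", "Enter your 24-word recovery phrase to restore your wallet"],
    "versions": [("1.0", date(2026, 4, 1)), ("3.0", date(2026, 4, 7)), ("5.0", date(2026, 4, 13))],
}
BENIGN = {
    "name": "Example Wallet Companion",
    "publisher": "Example Corp",
    "ui_strings": ["Never enter your recovery phrase on a computer.", "Connect your device"],
    "versions": [("2.0", date(2025, 1, 10)), ("2.1", date(2025, 6, 2))],
}

if __name__ == "__main__":
    for flag in triage(FAKE, BRANDS):
        print("FLAG:", flag)
```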

The Scale of the Problem

Apple’s own statistics attempt to justify the review process. In 2024, Apple reviewed over 7.7 million submissions and rejected 1.9 million of them. However, these numbers prove the opposite of what Apple intends. With roughly 9,000 apps reviewed per month on average, and only 1.9 million rejections out of 7.7 million reviews, approximately 75% of submitted apps are approved. The fake Ledger app was among them.

Seed Phrases Are The Master Keys—And They Must Never Touch Your Computer

This incident crystallises a critical principle that every cryptocurrency user must understand: your seed phrase is not a password you enter—it’s a physical secret that should never touch a connected device.

The Hardware Wallet Promise

Hardware wallets like Ledger work because they isolate the seed phrase on a disconnected device. Your computer never sees it. Transaction signatures happen inside the device, on a secure screen that the user controls. This design means that even if your computer is infected with malware, stolen, or compromised, your funds remain safe. The seed phrase never enters the hostile computer environment.

The Protection Has Limits

The moment you type your seed phrase into your computer—into any app, any website, any “secure form”—the protection is gone. Even if that app looks identical to the official Ledger app. Even if you found it in the Mac App Store. Even if it’s running on your own computer. The attacker doesn’t need to touch the hardware wallet anymore. They have everything they need to recreate the wallet on any other device and drain it instantly.

Garrett Dutton, the musician who lost his Bitcoin, knew this rule. He had been in cryptocurrency since 2017. He understood hardware wallets. And he was still caught off guard. In a follow-up post on X, he wrote: “I been in the crypto circus since 2017. Today they caught me off guard.”

A Pattern of Failed Review Processes

The fake Ledger app on Apple’s Mac App Store is not an anomaly. Across multiple official app stores—Apple, Google, and Microsoft—attackers have successfully distributed fake wallet apps that drain funds. These incidents reveal a systemic problem in how major platforms review financial software.

| Incident | Platform | Loss | Year |
|---|---|---|---|
| Fake Ledger Live (Mac) | Apple Mac App Store | $9.5 million | 2026 |
| Fake Ledger Live (Windows) | Microsoft Store | ~$600,000 | 2023 |
| Fake WalletConnect (Mobile) | Google Play Store | $70,000+ | 2024 |
| Trust Wallet Extension (Hacked) | Chrome Web Store | $7 million | 2025 |

Notable Fake Wallet Draining Incidents

  • Fake MetaMask Browser Extensions – Scammers have repeatedly created and distributed fake MetaMask extensions that steal seed phrases. Unlike the Ledger incident, these typically come from phishing sites rather than official app stores, but they demonstrate the vulnerability of browser-based wallets. MetaMask’s own documentation lists spoofing scams as one of the top threats to users.
  • Trust Wallet Chrome Extension Compromise (December 2025) – Trust Wallet’s Chrome extension was compromised through a leaked API key, allowing attackers to inject malicious code into version 2.68. The affected extension passed Chrome Web Store review and affected nearly 2,600 wallet addresses with $7 million in losses. Binance, which owns Trust Wallet, promised reimbursement.
  • Fake MetaMask iOS/Android Apps – Security researchers have documented multiple fake MetaMask mobile apps distributed through phishing sites and occasionally slipping through app store filters. These ask users to enter seed phrases and grant attackers immediate wallet access.
  • Fake MetaMask 2FA Phishing Campaign (January 2026) – Attackers sent emails impersonating MetaMask support, claiming that two-factor authentication was “mandatory” for security. Clicking the button led to a phishing site where users unknowingly entered their seed phrases. This campaign drained over $107,000 across multiple wallets.

List of Fake wallet Incidents

Protecting Yourself: The Rules That Matter

If you use hardware wallets, follow these rules without exception:

  • Never type your seed phrase into any device that has a network connection. Not your laptop, not your phone, not an app, not a website. Ever. The only screen your seed phrase should see is the hardware wallet’s secure screen.
  • Download official wallet software only from the publisher’s website, never from app stores. Ledger’s official app is at ledger.com. MetaMask is at metamask.io. Don’t search your app store for these names.
  • If a wallet app asks for your seed phrase, it’s a scam. Full stop. Real wallet software will never ask you to type your seed phrase into your computer. If it does, close it immediately.
  • Use a hardware wallet for any significant amount of cryptocurrency. Hardware wallets like Ledger and Trezor cost $60-100 and are the most reliable way to protect your funds. They keep your seed phrase offline and require physical button presses to approve transactions.
  • Verify domain names manually. Don’t click links from emails or messages. Manually type the website URL into your browser to ensure you’re on the official website. Scammers use domains like “metamask-io.com” or “ledger-offical.com” that look almost identical.
  • Don’t assume official app stores are safe. Apple, Google, and Microsoft review apps, but their review processes are not foolproof. This incident proves that. Additional due diligence—checking the developer name, verifying the official website, and understanding what the app should and shouldn’t ask for—is essential.
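The domain rule above can also be checked mechanically. The following is an added example, not part of the original article: it classifies a hostname or URL against the two official sites named in the list and flags near-miss or brand-embedding names such as the ones quoted. The 0.8 similarity threshold and the function name are assumptions.

```python
import difflib
import re
from urllib.parse import urlsplit

OFFICIAL = ("ledger.com", "metamask.io")  # the official sites named in the article

def classify(value):
    """Return 'official', 'lookalike' or 'unrelated' for a hostname or URL."""
    # Accept bare hostnames as well as full URLs; hostname comes back lowercased.
    host = urlsplit(value if "//" in value else "//" + value).hostname or ""
    host = host.rstrip(".")
    # Exact match or a true subdomain of an official site.
    for official in OFFICIAL:
        if host == official or host.endswith("." + official):
            return "official"
    # Otherwise look for the brand, or a close misspelling of it, in any
    # dot- or hyphen-separated piece of the name.
    tokens = [t for t in re.split(r"[.-]", host) if t]
    for official in OFFICIAL:
        brand = official.split(".")[0]
        for token in tokens:
            close = difflib.SequenceMatcher(None, token, brand).ratio() >= 0.8
            if token.startswith(brand) or token.endswith(brand) or close:
                return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    # Constructed inputs; the two hyphenated domains are the examples quoted in the article.
    for candidate in ("https://www.ledger.com/ledger-live", "metamask-io.com",
                      "ledger-offical.com", "1edger.com", "example.org"):
        print(f"{candidate:40} {classify(candidate)}")
```

A "lookalike" verdict means the name borrows a brand it does not belong to and should be treated as hostile until verified by typing the official address by hand.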

The Implications for Apple

This incident undermines Apple’s core argument for controlling app distribution. Apple has used its exclusive app store and review process as justification for preventing sideloading and alternative app marketplaces. The company argues that users need protection from malware and fraud, and that only Apple’s review process can provide it.

Yet here is a $9.5 million scam that passed through Apple’s review.

Apple’s statements about the incident have been minimal. The company removed the app, terminated the developer account, and pointed to its review guidelines. But it did not explain how a fake wallet app requesting users’ seed phrases was approved in the first place.

Fake Apps have real consequences

The fake Ledger Live app on Apple’s Mac App Store represents a perfect storm of social engineering, platform oversight, and user trust. It targeted people who were already security-conscious enough to use hardware wallets, yet still managed to convince them to voluntarily surrender the master key to their wallets.

The incident reveals that official app store listings provide no meaningful security guarantee for financial software, and you’re still using them at your own risk. Platforms like Apple, Google, and Microsoft can and do approve malicious or fraudulent apps. Users cannot rely on these stores to protect them from cryptocurrency scams.

The only reliable protection is understanding the first rule of hodling: your seed phrase is your wallet’s master key, and it must never touch a connected computer.

If you follow that single rule, no fake app—no matter where you download it—can steal your funds.

Disclaimer: This article should not be taken as, and is not intended to provide, any investment advice. It is for educational and entertainment purposes only. As of the time of posting, the writers may or may not have holdings in some of the coins or tokens they cover. Please conduct your own thorough research before investing in any cryptocurrency, as all investments contain risk. All opinions expressed in these articles are my own and are in no way a reflection of the opinions of The Bitcoin Manual.
